Routing in virtual private network

Field of the invention

The invention relates to the technical field of TCP/IP routing and forwarding and relates especially to concepts within virtual private networks (VPNs).

The main applications for the invention are IP routers with high VPN scalability demands, such as the GGSN (Gateway GPRS Support Node) in GPRS (General Packet Radio Service) networks. The invention relates to WPP 5.0 (Wireless Packet Platform).

Background of the invention

A Virtual Private Network (VPN) is an extension to a network that is remotely administrated. This network is carried over the local network via tunnelling, in protocols that may or may not be IP based (for example ATM). When extending these networks into mobile packet data networks, a single node must handle a large number of VPNs. This implies that the management and configuration of all these extensions to the VPNs has to be handled by the operator managing the mobile packet network. In for example GPRS (General Packet Radio Service), the GGSN (Gateway GPRS Support Node) connects the mobile network to the remotely administrated network. Figure 1 depicts a schematic overview of such a GPRS network with the GGSN.

Figure 2 depicts an example with traffic between two mobile stations. This example shows that the administrator of the GGSN has to manage the packet filtering rules that protect the mobile stations from each other. The traffic between mobile stations cannot be monitored from a remotely administrated network.

One known solution is based on an implementation of packet filtering that performs packet forwarding. By defining a packet filter that forwards all traffic from one interface or tunnel to another interface or tunnel, the routing information in the forwarding table will not be considered and the traffic can be forced to a remote network.

Another known WPP solution to the problem is to directly map traffic from one interface/tunnel into another interface or tunnel, without making a forwarding decision based on the destination IP address. This known solution is called APN (Access Point Name) Routing.

The disadvantage with the above solutions is poor redundancy, since the packet filters (or mapping table) are not dynamically updated and the interface or tunnel that the packets are forwarded to might be unavailable due to link or network problems.

Fig. 3 shows two nodes A and B and a router R being physically connected to an Ethernet segment ETH_S. Two virtual private networks VPN_1 and VPN_2 are implemented over the common Ethernet segment ETH_S. Node A comprises a first and a second IP interface IP_IF1 and IP_IF2. The IP interfaces IP_IF1 and IP_IF2 at IP layer 3 are mapped to the unique layer 2 MAC (Media Access Control) Ethernet address ETH_IF1 by means of the ARP (Address Resolution Protocol) protocol.

Likewise, interfaces IP_IF3 and IP_IF4 are mapped to Ethernet interface ETH_IF2 of node B. IP interfaces IP_IF5 and IP_IF6 are mapped to ETH_IF2 on router RT.

IP_IF1 of node A forms a first virtual private network VPN_1 with IP_IF3 of node B. IP_IF4 of node B forms a second virtual private network VPN_2 with IP_IF6 of router RT. IP packets may be communicated between the respective IP interfaces over the respective VPNs. To the various IP interfaces of each respective VPN it appears that the Ethernet segment is exclusive.

Fig. 4 shows an exemplary IP packet delivered from IP interface IP_IF3 to IP_IF1 on VPN_1 for the network shown in fig. 3. The IP packet is encapsulated in an Ethernet frame with source address ETH_IF2 and destination address ETH_IF1. It has an Ethernet type identification of type "VLAN" (Virtual Local Area Network) and carries a corresponding network identifier VPN_1 and a second Ethernet type identifier IPv4 pertaining to the version of the IP protocol being used. In the Ethernet payload ETH_PL there are provided the IP source and destination addresses mentioned above and the IP payload. The frame is ended by an Ethernet cyclical redundancy check value ETH_CRC.
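The frame layout of fig. 4, as an added Python example that is not part of the application: a parser for an 802.1Q-tagged Ethernet frame carrying IPv4, together with a builder used to construct the sample frame from IP_IF3 to IP_IF1. The tag ethertype 0x8100 and the IPv4 ethertype 0x0800 are the standard values; the FCS is an IEEE CRC-32 (zlib's algorithm) written in little-endian byte order as it appears on the wire. The MAC addresses, IP addresses and the VLAN-to-VPN mapping are constructed for the example. The parser rejects untagged frames and frames whose tag is not configured on the interface, since on a shared segment the 12-bit tag is the only thing separating the VPNs.

```python
import ipaddress
import struct
import zlib

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag ethertype
ETHERTYPE_IPV4 = 0x0800

ETH_IF1 = bytes.fromhex("020000000001")   # constructed MAC of node A (locally administered)
ETH_IF2 = bytes.fromhex("020000000002")   # constructed MAC of node B
VLAN_TO_VPN = {1: "VPN_1", 2: "VPN_2"}    # constructed mapping of tags to the VPNs of fig. 3


def ipv4_checksum(header):
    """RFC 791 ones-complement checksum; returns 0 for a header whose checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, payload, ttl=64, proto=17):
    """Minimal IPv4 header without options around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac, src_mac, vlan_id, ip_packet):
    """dst MAC, src MAC, 802.1Q tag (priority/DEI bits zero), inner ethertype, payload, FCS."""
    body = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    body += ip_packet
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Return the fields named in fig. 4; raise on FCS, tag, ethertype or IP header errors."""
    if len(frame) < 42:                       # 18-byte tagged header + 20-byte IP header + FCS
        raise ValueError("frame too short")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch")
    dst_mac, src_mac = body[:6], body[6:12]
    etype, = struct.unpack("!H", body[12:14])
    if etype != ETHERTYPE_VLAN:
        raise ValueError("untagged frame carries no VPN identifier")
    tci, inner_etype = struct.unpack("!HH", body[14:18])
    if inner_etype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported inner ethertype {inner_etype:#06x}")
    ip = body[18:]
    if ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "vlan_id": tci & 0x0FFF,
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "dst_ip": str(ipaddress.ip_address(ip[16:20])),
        "ip_payload": ip[ihl:],
    }


def classify(frame, vlan_to_vpn=VLAN_TO_VPN):
    """Map the tag to its VPN; an unknown tag is rejected rather than dropped into a default VPN."""
    fields = parse_frame(frame)
    vpn = vlan_to_vpn.get(fields["vlan_id"])
    if vpn is None:
        raise ValueError(f"VLAN {fields['vlan_id']} is not configured on this interface")
    return vpn, fields


def sample_frame():
    """The packet of fig. 4: from IP_IF3 (node B, ETH_IF2) to IP_IF1 (node A, ETH_IF1) on VPN_1."""
    return build_frame(ETH_IF1, ETH_IF2, 1, build_ipv4("10.1.0.3", "10.1.0.1", b"hello"))
```

The FCS check comes first so that a frame damaged anywhere, including in the tag, is never classified; the checks then follow the fields in the order fig. 4 lists them.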

In fig. 5 an exemplary prior art network is shown comprising a router RT providing a first virtual private network VPN_1 via forwarding table VRF_1, providing interconnectivity for IP interfaces IP_IF1, IP_IF2 and IP_IF3. The router moreover provides a second virtual private network VPN_2 via forwarding table VRF_2, providing interconnectivity for IP interfaces IP_IF5 and IP_IF6.

Summary of the invention

It is a first object of the invention to set forth a router that allows for selective routing depending on traffic direction.

This object has been accomplished by claim 1.

It is a secondary object to set forth a router that allows for communication between various private networks.

This object has been accomplished by claim 2.

It is a third object to set forth a system allowing for forced traffic over a specific interface.

This object has been accomplished by claim 6.

It is a fourth object to set forth a system in which packet control is deferred to a corporate network.

This object has been accomplished by claim 7.

According to a further aspect of the invention, in order to increase the security in a VPN network it is desired that all traffic (i.e. IP packets) from mobile terminals shall always go via the home network. This gives the VPN administrator the possibility to specify the packet filtering rules to be applied both for traffic destined to a mobile terminal and for traffic coming from a mobile terminal. This is independent of whether or not the packets are destined to the same mobile network extension as the one the packet originated from. Without forcing traffic to the home network, the packet filtering rules would have to be configured by the operator of the mobile extension to the VPN network instead of by the administrator of the home network.

Further advantages of the invention will appear from the following detailed description of preferred embodiments of the invention.

Brief description of the drawings

Fig. 1 shows an overall diagram of the GPRS network architecture,

fig. 2 shows a known method of performing routing in a GPRS network,

fig. 3 shows a known way of implementing virtual private networks (VPN) on an Ethernet segment,

fig. 4 shows a packet used in fig. 3,

fig. 5 shows a prior art router providing two VPN networks,

fig. 6 shows a first embodiment of a router according to the invention,

fig. 7 shows a second embodiment of a VPN network according to the invention including a packet flow from a node A to a node B,

fig. 8 shows the same VPN network as in fig. 7, including a packet flow from a node B to a node A,

fig. 9 shows an application of the present invention in a GPRS network, and

fig. 10 shows a fourth embodiment according to the invention.

Detailed description of preferred embodiments of the invention

According to the invention, multiple VRFs (VPN Routing/Forwarding instances) are used per IP interface. An IP interface can for example be a bi-directional IP-in-IP tunnel or an IP-over-Ethernet interface. The forwarding table that is used to route traffic from a given interface may not route traffic to the same IP interface. This distinction makes it possible to let traffic in one direction belong to one VRF and traffic in the other direction belong to another VRF. Furthermore, if the interface has multiple peers, each peer end-point can belong to different VRFs.

Fig. 6 shows a first embodiment of the invention, comprising a router RT comprising routing tables VRF_1 and VRF_2 and IP interfaces IP_IF1, providing access to a GTP tunnel GTP_A which connects to a first mobile station MS_A, and IP_IF2, providing access to a second GTP tunnel GTP_B that connects to mobile station MS_B. The router moreover comprises a third IP interface IP_IF3 that connects to GRE tunnel GRE_RT providing connection to a VPN access net, such as a corporate Intranet.

As indicated by the arrows, forwarding table VRF_1 routes packets from IP interface IP_IF3 to IP interfaces IP_IF1 and IP_IF2 depending on which mobile station the given packet is intended for. Forwarding table VRF_2 routes packets from sources MS_A and MS_B to IP interface IP_IF3 and further to the VPN access net. Thereby, the traffic between mobile stations MS_A and MS_B can be controlled by the VPN access net.

Fig. 7 shows a further embodiment of the invention in which a first router RT connects to an Ethernet segment ETH_S via IP interfaces IP_IF1, IP_IF2 and IP_IF3, forming respective virtual private networks VLAN1, VLAN2 and VLAN3, and an Ethernet router interface ETH_IF. The first router comprises a first forwarding table VRF_1 and a second forwarding table VRF_2.

A node A connects to the router via virtual local area network VLAN1 and a node B connects to the router via virtual local area network VLAN2 over the common Ethernet segment ETH_S.

A second router R comprising forwarding table VRF_R connects to VLAN3 over the common Ethernet segment ETH_S. The second router also connects to the Internet.

Forwarding table VRF_1 defines for destination A a next hop of IP interface IP_IF1 and for destination node B IP interface IP_IF2. Forwarding table VRF_2 defines interface IP_IF3 as default next hop. Forwarding table VRF_R defines IP interface IPIF_3 for both destinations A and B.

A packet sent from mobile station A to B is forwarded along arrow 10 through IP interface IPIF_1 to forwarding table VRF_2 and further on to IP interface IPIF_3 to router R, arrow 20, and back again to IP interface IPIF_3 and to forwarding table VRF_1. Forwarding table VRF_1 defines IP interface IPIF_2 as next hop for destination B, and consequently the packet is transmitted to node B along arrow 30.

The router is configured such that in the event that a mobile station on one interface IP_IF1 is communicating with a mobile station on interface IP_IF2, the traffic may be routed via the second interface IP_IF3.

In fig. 8 the opposite path of transmitting a packet is shown, as indicated by arrows 40, 50 and 60.

It should be understood that many other technologies than Ethernet could be used on the data link layer.

As shown above, the forwarding table for a VRF can only have routes to interfaces that in the outbound direction belong to the VRF. The question of which VRF to use for the forwarding decision is settled by the VRF configuration for the inbound direction of the receiving interface. The definition of interfaces in both outbound and inbound direction can be extended to also consider the source and destination peers (which can for instance be identified via link level addresses) to allow different VRFs for different remote peers (for example routers) on a multi-access link.

The distinction between inbound and outbound direction provides the possibility that an interface can be used by multiple VRFs in the outbound direction. That is, several VRFs can use the same outbound link. In figure 7, it is shown how both VRF_1 and VRF_2 use the same outbound link, for instance IPIF_3. This feature is very useful together with broadcast and multicast based services. One example is that it makes it possible to have a separate multicast VPN that gives multicast services that several other VPNs can use. Traffic from the multicast network can be forwarded into another VPN where the end-users of the service are connected. The benefit of doing this is that the common services between the networks can use one common network architecture that enables more efficient use of the transport links. This is how multicast networks are used to give better performance, but multicast services are currently not possible to share between VPNs, and this invention provides a solution to the problem.

The main problem in WPP solved by the invention is that it allows GGSN nodes to defer packet filtering to a remote network, decreasing the need for packet filtering configuration by the manager of the GGSN node. The present invention provides a scalable routing solution towards the external networks.

Figure 9 depicts a third preferred embodiment of the invention, showing traffic between two mobile stations MS#1 and MS#2 that belong to the same corporate network as the router holding VRF#23. VRF#37 and VRF#42 are used in the GGSN and VRF#23 is used in the router. The invention is used in the GGSN. For traffic from the mobile stations VRF#42 is used. For traffic from the router VRF#37 is used. VRF#42 has the router as next hop for all the routes in the forwarding table. This means that all traffic from the mobiles is sent to the router. VRF#37 has the SGSN (Serving GPRS Support Node) as next hop for the two mobile stations. This means that traffic from the router destined to the mobile stations is sent to the SGSN. Traffic from the router which is not destined to the mobile stations is sent back to the router, as the forwarding table for VRF#37 has a default route pointing out the router as next hop for all traffic which is not destined to the mobile stations. The router only has one VRF (VRF#23) for all its interfaces. The router is a normal router. A packet sent from one of the mobile stations destined to the other mobile station is sent to the GGSN via the SGSN. The GGSN performs a forwarding lookup (using the forwarding table of VRF#42) and then routes the packet to the router. The router performs a forwarding lookup and routes the traffic back to the GGSN, as the forwarding table for VRF#23 points out the GGSN as next hop for the mobile stations. The GGSN once again makes a forwarding lookup (using the forwarding table of VRF#37) and then routes the packet to the SGSN. The SGSN delivers the packet to the receiving mobile station. It should be noted that a third mobile station not belonging to the corporate network would not use the tunnel shown in fig. 3. Another parallel set of tunnels and forwarding tables would be set up.

Figure 9 also shows an example of how the network management responsibilities can be divided between different administrators. In this figure, the mobile stations MS#1, MS#2 and the router holding VRF#23 belong to the same corporate network, designated "Corporate", and all administration for this network is handled by the corporate network administrator. By way of example, a first operator, Operator 1, controls the SGSN node and a second operator, Operator 2, controls the GGSN node. There is a clear separation between GPRS network administration and the administration of the corporate network. This example also shows, when applicable, the separation between the SGSN and GGSN operators. It is a strong business case for an operator to provide the corporate networks with a service making it possible for the corporate network administrator to configure the packet filters for the mobile stations and monitor all traffic to and from mobile stations. It is therefore a strong business case for a GGSN vendor to provide an operator with equipment implementing this invention. It should be noted that forwarding tables VRF#37 and VRF#42 are controlled by Operator 2 in accordance with whatever agreement exists between Corporate and Operator 2.

The ability to route packets to the VRF in the opposite direction for an interface has been implemented. This is necessary to implement if ICMP messages shall be supported. The VRF for the opposite direction is easy to find, since ICMP messages are generated for an outbound interface and the packet can then be handled as if it had arrived on that interface. The forwarding table in a VRF can be updated by a routing daemon.
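The forwarding rule of the description (the receiving interface selects the inbound VRF; outbound membership decides which VRFs may point routes out of an interface), the hairpin path of figs. 7 and 9, and the ICMP case just described, as an added Python model that is not part of the application. Router RT splits each interface into an inbound and an outbound direction, router R is an ordinary single-table router whose policy hook plays the corporate firewall of claims 5, 7 and 8, and a packet whose TTL expires on RT produces an ICMP error that is looked up in the inbound VRF of the interface it would have left on. Interface names IF1..IF3 and the VRF names follow fig. 7; the addresses, the 10.0.0.0/16 prefixes and the sample policy (node B may not initiate traffic) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

DROP, DELIVERED = "DROP", "DELIVERED"
A_ADDR, B_ADDR = "10.0.1.10", "10.0.2.10"   # constructed addresses for nodes A and B

@dataclass
class Packet:
    src: str
    dst: str
    ttl: int = 64
    icmp: bool = False                        # True for an ICMP error generated by a router
    path: list = field(default_factory=list)  # hop-by-hop trace filled in while forwarding

def lpm(table, dst):
    """Longest-prefix match over (network, out_iface) pairs; None when there is no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, out) for net, out in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

class Host:
    def __init__(self, name, address):
        self.name, self.address, self.peers = name, address, {}

    def receive(self, pkt, _iface):
        pkt.path.append(self.name)
        return DELIVERED if pkt.dst == self.address else DROP

class PlainRouter:
    """Ordinary router with one table for all interfaces (router R of fig. 7); the policy
    hook stands in for the corporate firewall of claims 5, 7 and 8."""
    def __init__(self, name, policy=lambda pkt: True):
        self.name, self.policy, self.table, self.peers = name, policy, [], {}

    def add_route(self, prefix, out_iface):
        self.table.append((ipaddress.ip_network(prefix), out_iface))

    def receive(self, pkt, in_iface):
        out = lpm(self.table, pkt.dst)
        if not self.policy(pkt) or out is None or pkt.ttl <= 1:
            pkt.path.append(f"{self.name}:{'policy-drop' if not self.policy(pkt) else 'drop'}")
            return DROP
        pkt.ttl -= 1
        pkt.path.append(f"{self.name}:{in_iface}->{out}")
        node, iface = self.peers[out]
        return node.receive(pkt, iface)

class SplitRouter:
    """Router RT: each interface names the VRF used for packets received on it (inbound)
    and the set of VRFs allowed to point routes out of it (outbound)."""
    def __init__(self, name, address):
        self.name, self.address, self.ifaces, self.vrfs, self.peers = name, address, {}, {}, {}

    def add_iface(self, name, inbound_vrf, outbound_vrfs):
        self.ifaces[name] = (inbound_vrf, frozenset(outbound_vrfs))

    def add_route(self, vrf, prefix, out_iface):
        inbound, outbound = self.ifaces[out_iface]
        # A VRF may only hold routes to interfaces that belong to it outbound, and the VRF
        # that forwards traffic received on an interface may not point back out of it.
        if vrf not in outbound or vrf == inbound:
            raise ValueError(f"{vrf} may not route out of {out_iface}")
        self.vrfs.setdefault(vrf, []).append((ipaddress.ip_network(prefix), out_iface))

    def receive(self, pkt, in_iface):
        vrf = self.ifaces[in_iface][0]        # the receiving interface selects the VRF
        out = lpm(self.vrfs.get(vrf, []), pkt.dst)
        if out is None:
            pkt.path.append(f"{self.name}:{vrf}:no-route")
            return DROP
        pkt.path.append(f"{self.name}:{in_iface}->{vrf}->{out}")
        if pkt.ttl <= 1:
            if pkt.icmp:
                return DROP                   # never answer an ICMP error with another one
            # The ICMP error is generated for the outbound interface and then handled as
            # if it had arrived there, i.e. looked up in that interface's inbound VRF.
            err = Packet(self.address, pkt.src, icmp=True, path=pkt.path)
            err.path.append(f"{self.name}:icmp-time-exceeded@{out}")
            return self.receive(err, out)
        pkt.ttl -= 1
        node, iface = self.peers[out]
        return node.receive(pkt, iface)

def link(a, a_if, b, b_if):
    a.peers[a_if], b.peers[b_if] = (b, b_if), (a, a_if)

def build_fig7():
    """Topology of fig. 7: A on VLAN1 (IF1), B on VLAN2 (IF2), corporate router R on VLAN3 (IF3)."""
    a, b, rt = Host("A", A_ADDR), Host("B", B_ADDR), SplitRouter("RT", "10.0.0.1")
    rt.add_iface("IF1", inbound_vrf="VRF_2", outbound_vrfs={"VRF_1"})
    rt.add_iface("IF2", inbound_vrf="VRF_2", outbound_vrfs={"VRF_1"})
    rt.add_iface("IF3", inbound_vrf="VRF_1", outbound_vrfs={"VRF_2"})
    rt.add_route("VRF_1", "10.0.1.0/24", "IF1")   # towards A
    rt.add_route("VRF_1", "10.0.2.0/24", "IF2")   # towards B
    rt.add_route("VRF_2", "0.0.0.0/0", "IF3")     # everything from A or B goes to R first
    r = PlainRouter("R", policy=lambda p: p.src != B_ADDR)   # constructed policy: B may not initiate
    r.add_route("10.0.0.0/16", "IF_RT")
    link(rt, "IF1", a, "eth0"); link(rt, "IF2", b, "eth0"); link(rt, "IF3", r, "IF_RT")
    return rt

def send(rt, src, dst, ttl=64):
    """Inject a packet at RT on the interface facing src; returns (verdict, path)."""
    pkt = Packet(src, dst, ttl=ttl)
    return rt.receive(pkt, "IF1" if src == A_ADDR else "IF2"), pkt.path

if __name__ == "__main__":
    rt = build_fig7()
    for src, dst, ttl in [(A_ADDR, B_ADDR, 64), (B_ADDR, A_ADDR, 64), (A_ADDR, B_ADDR, 3)]:
        print(f"{src} -> {dst} (ttl {ttl}):", *send(rt, src, dst, ttl))
```

Running the block prints three traces: A to B is delivered only after passing through R; B to A is discarded by R's policy, which RT never has to know about; and with TTL 3 the packet expires on RT's second pass, so the ICMP Time Exceeded is generated for IF2, looked up in VRF_2, and therefore also travels via R before reaching A, which keeps even error traffic under the corporate administrator's control. Trying to give VRF_2 a route out of IF1 raises a ValueError, because VRF_2 is the inbound VRF of that interface.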

Routing daemons receive their routing information from different interfaces and can treat these interfaces as belonging to different routing areas. By separating the inbound and outbound direction of these interfaces, the routing protocol can be configured to filter which information to send to different interfaces. Thereby the directions of the routing updates can be separated, provided that the routing protocol used for route announcements supports unidirectional links.

The invention can for example be used for IPv4 and IPv6. Both IPv4 and IPv6 interfaces can be bi-directional or unidirectional. The present invention provides the possibility for a router (or host) to treat bi-directional interfaces as two uni-directional interfaces, while at the same time the peer routers (or hosts) view the interface on the router (or host) as a bi-directional interface. In other words, the surrounding network environment is not affected by the use of the invention, unless it is deliberately used in such a way.

The invention has a high potential to solve many current and future problems in different areas of IP routing, since it is a fundamental change of how interfaces are treated in IP routing and forwarding environments.
Abbreviations

ATM     Asynchronous Transfer Mode
APN     Access Point Name. In the GPRS backbone, an APN is a reference to a GGSN. To support inter-PLMN roaming, the internal GPRS DNS functionality is used to translate the APN into the IP address of the GGSN.
GGSN    Gateway GPRS Support Node
GPRS    General Packet Radio Service
GSM     Global System for Mobile communication
ICMP    Internet Control Message Protocol (RFC 792)
IP      Internet Protocol (RFC 791)
IP_IF   IP interface
SGSN    Serving GPRS Support Node
TCP     Transmission Control Protocol (RFC 793)
TCP/IP  Suite of protocols, including IP, TCP, UDP, ICMP and other protocols
UDP     User Datagram Protocol (RFC 768)
UMTS    Universal Mobile Telecommunications System
VPN     Virtual Private Network
VRF     VPN Routing/Forwarding instance
WPP     Wireless Packet Platform
Patent claims

1. Router (RT) comprising at least two IP interfaces (IPIF_1; IPIF_2; IPIF_3), whereby each IP interface is associated with a respective virtual private network (VPN1; VPN2; VPN3), the router moreover comprising at least two forwarding tables (VRF_1; VRF_2),

whereby a first table (VRF_1; VRF_2) is used for routing traffic towards a given interface (IPIF_1; IPIF_2; IPIF_3), and

the second table (VRF_2; VRF_1) is used for routing traffic appearing from the same given interface (IPIF_1; IPIF_2; IPIF_3).

2. Router according to claim 1, wherein packets received on one IP interface (IPIF_1; IPIF_2; IPIF_3) and relating to one given virtual private network (VPN1; VPN2; VPN3) are forwarded to another IP interface (IPIF_1; IPIF_2; IPIF_3) relating to another virtual private network (VPN1; VPN2; VPN3).

3. Router according to any previous claim, whereby a first IP interface (IP_IF1) couples to a first tunnel (GTP_A) providing bi-directional connectivity to mobile stations and a second IP interface (IP_IF3) couples to a tunnel (GRE_RT) providing bi-directional connectivity to a corporate network.

4. Router according to claim 3, comprising a third interface (IP_IF2) providing bi-directional connectivity to mobile stations, the router being configured such that in the event that a mobile station on one interface (IP_IF1) is communicating with a mobile station on a third interface (IP_IF2), the traffic is routed via the second interface (IP_IF3).

5. Router according to claim 4, wherein the packets from one mobile station (MS_A) to another mobile station (MS_B) are forwarded to a remote router (R), the remote router being adapted for taking a policy decision, such as to discard packets.

6. Network comprising a router (RT) comprising at least two IP interfaces (IPIF_1; IPIF_2; IPIF_3), whereby each IP interface is associated with a respective virtual private network (VPN1; VPN2; VPN3), the router moreover comprising at least two forwarding tables (VRF_1; VRF_2),

whereby a first table (VRF_1; VRF_2) is used for routing traffic towards a given interface (IPIF_1; IPIF_2; IPIF_3) and the second table (VRF_2; VRF_1) is used for routing traffic appearing from the same given interface (IPIF_1; IPIF_2; IPIF_3),

wherein packets received on one IP interface (IPIF_1; IPIF_2; IPIF_3) and relating to one given virtual private network (VPN1; VPN2; VPN3) are forwarded to another IP interface (IPIF_1; IPIF_2; IPIF_3) relating to another virtual private network (VPN1; VPN2; VPN3),

whereby a first IP interface (IP_IF1) couples to a first tunnel (GTP_A) providing bi-directional connectivity to mobile stations and a second IP interface (IP_IF3) couples to a tunnel (GRE_RT) providing bi-directional connectivity to a corporate network, and whereby a third interface (IP_IF2) provides bi-directional connectivity to mobile stations, the router being configured such that in the event that a mobile station on the first interface (IP_IF1) is communicating with a mobile station on the third interface (IP_IF2), the traffic is routed via the second interface (IP_IF3).

7. Network according to claim 6, comprising a remote router (R) configured such that packets from one mobile station (MS_A) to another mobile station (MS_B) are forwarded to said remote router, the remote router selectively taking a policy decision, such as to discard packets.

8. Network according to claim 7, wherein the remote router comprises a firewall.

9. Network according to claim 6, wherein the router (RT) is comprised in a GGSN node.